AI security automation cockpit

HawkinsOperations builds AI-assisted security automation with review-ready output.

A working detection workflow turns fast, AI-assisted security work into reviewer-ready artifacts. Hoxline keeps public wording evidence-scoped as the loop moves.

Evidence-scoped claim lane

Runtime, signal, production, customer, and approval claims stay gated until evidence is promoted. Controlled validation is the current ceiling; this website is the reviewer surface.

Stage 04 / 06 · gating

Hoxline Gate

Hoxline holds the evidence ceiling with the artifact so wording cannot climb above what evidence supports.

Output: Gated state + evidence ceiling
Open the Hoxline cockpit
Generated public status v0 data plane · fresh: under 336-hour freshness window
Website rendering reads generated public status; proof, validation, platform, detections, Hoxline, and org routing records own their respective facts. (public-status.json)

72 controls fired

fresh from src/data/governanceSaves.ts @ 834c3d2

fresh - hawkinsoperations-website 834c3d2
31 claims blocked

fresh from proof/records/reviewer-metrics-pipeline-v1-summary.json @ 70c6792

fresh - hawkinsoperations-proof 70c6792
106 validation cases

fresh from proof/records/reviewer-metrics-pipeline-v1-summary.json @ 70c6792

fresh - hawkinsoperations-proof 70c6792
8 proof records

fresh from proof/records/reviewer-metrics-pipeline-v1-summary.json @ 70c6792

fresh - hawkinsoperations-proof 70c6792
0 public-safe

fresh from proof/records/reviewer-metrics-pipeline-v1-summary.json @ 70c6792

fresh - hawkinsoperations-proof 70c6792

Inspect / download / clone / run

Reviewer can verify

Generated status prevents stale website numbers from becoming accidental authority. The source routes and commands make the review path inspectable instead of presentation-only.

  1. Snapshot
  2. Sources
  3. Download
  4. Clone
  5. Run

Download, clone, and run commands · Reviewer-runnable

Clone: git clone https://github.com/HawkinsOperations/hoxline.git

Working directory after clone: hoxline repo root

Regenerate public status: npm run public-status:generate

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

Verify public status: npm run public-status:verify

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

Website site contract: npm run check:site

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

Website typecheck: npm run typecheck

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

Website visual QA: npm run test:visual

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

These commands are review paths in their owning repositories. Website rendering displays the route; it does not convert command output into proof authority.

CAPABILITY_VISUAL_DATA_PACK_V1 · Hoxline PR #13 · ho-det-001-capability-visual-data-pack-v1 · stage_status_distribution 5

11 Canonical loop stages (measured in PR #13 pack)
7 Authority surfaces (measured in PR #13 pack)
2 Reviewer outputs (JSON and Markdown)
53 Current pytest count (pack validation run)

Interactive product loop

Watch AI-assisted work become reviewer-ready output.

Tap any stage in the Hoxline loop to inspect what exists, the AI role, the output artifact, and the next handoff. Runtime and signal claims stay gated until evidence is promoted.

Stage 01 · labor

AI-assisted security work

What exists
AI drafts detections, queries, and reviewer notes at speed.
AI / automation role
AI produces labor fast; it holds no authority.
Output artifact
Draft candidate
Next handoff
Hands a named draft to Artifact Intake.
AI labor · fast

$ ai draft --task ho-det-001 → candidate.draft

Flagship product

Hoxline Engine Preview: executable ProofOps control.

HawkinsOperations is not just a portfolio. Hoxline runs a controlled ProofOps loop for HO-DET-001 and emits bounded reviewer artifacts while runtime, signal, public release, production, customer, and approval claims remain gated.

stage_status_distribution

Visual stage status data

Capability Visual Data Pack v1 exposes the loop as status data, not as a flat warning list.

PASS: 7
BLOCKED: 1
MISSING_EVIDENCE: 1
HUMAN_REVIEW_REQUIRED: 1
REFERENCE_ONLY: 1

generated_outputs_chart

Output artifact wall

Reviewer-readable outputs are surfaced as artifacts. They are routes to inspect, not proof promotion.

json

Full-loop JSON

Target reader: reviewer or website data loader.

Open artifact ->
JSON: 1 · Markdown: 1 · Schema: 2

claim_decision_chart

Allowed, blocked, and required evidence

Toggle the decision families. Blocked claims are visible as boundaries, not as product claims.

allowed

Allowed controlled claim

One allowed controlled-validation claim is present in the visual data pack.

HO-DET-001 has controlled validation evidence from controlled positive and negative process-creation fixtures and remains under review.
7 Controlled positives (measured)
7 Controlled negatives (measured)
7 Matched positives (measured)
0 Missed positives (measured)
0 False-positive negatives (measured)
23 Blocked families (claim authority metrics)
17 Missing evidence groups (claim decision chart)
8 Output contract tests (test_hoxline_gauntlet.py)

Current proof spine

Proof authority, validation engine, platform control layer.

HawkinsOperations exposes built work first: proof records, controlled validation, platform ledgers, governed metrics, reviewer routes, and claim-boundary controls are separated so reviewers can inspect the system without trusting the website presentation.

4 governed cases
49 validation fires
106 validation cases
8 proof records
31 claims blocked
0 public-safe

Generated public-status rendering input: fresh: under 336-hour freshness window. Counts route to owning proof, platform, and validation records; this website does not authorize them.

Layer 01

Proof Authority

Proof records, proof cards, proof packs, reviewer maps, accomplishment ledgers, and authority-boundary case studies control what can be claimed.

Layer 02

Validation Engine

Local pipelines, parity checks, case-packet contracts, claim scanners, activity ledgers, and CI gates turn detection claims into repeatable checks.

Layer 03

Platform Control Layer

Factory commands, ledger gates, state manifests, runtime candidates, recoverability drills, and SOAR packet contracts turn detections into governed workflow artifacts.

Hero system · Controlled test validated

HO-DET-001 Receipt Chain

Supports
Connects detection source, validation receipt, platform contract, proof case study, website route, and reviewer handoff.
Boundary
Does not prove SOCaaS deployment, customer deployment, FortiSIEM integration, production readiness, or public-safe runtime proof.
Trace HO-DET-001
Hero system · append-gated accounting spine

Lifetime Case Ledger v1

Supports
Provides governed-case accounting, append gates, verifier-backed metrics, and state-manifest control.
Boundary
Does not prove production case tracking, autonomous closure, or public runtime case proof.
Inspect ledger route
Hero system · reviewer-visible metrics

Reviewer Metrics Pipeline v1

Supports
Separates strict governed cases from validation activity, proof records, and blocked-claim counts.
Boundary
Does not prove production SOC metrics, customer metrics, runtime case volume, or public-safe runtime proof.
Open proof metrics route
Supporting system · private candidate lane

Runtime Case Collector v0

Supports
Separates route, dedupe, append-gate handling, and Runtime Route Proof v1 private-candidate review routing.
Boundary
Does not prove governed case append, public runtime-active proof, public signal-observed proof, or public-safe runtime proof.
Review runtime boundary
Supporting system · workflow trust boundary

Runner Trust Boundary

Supports
Separates public PR checks from manually triggered trusted-runner proof routes.
Boundary
Does not expose private runner details or claim broad self-hosted PR safety.
Open platform contracts
Supporting system · reviewer-routing controls

Standing Governance Controls

Supports
Maintains blocked-claim controls, reviewer routing, PR review rituals, and proof-boundary enforcement surfaces.
Boundary
Does not make GitHub Project metadata, website rendering, runtime truth, or signal truth into proof.
Open Claim Firewall
Supporting system · bounded reviewer package

Proof Pack 001 Quick Check

Supports
Routes the 90-second reviewer check, release path, manifest, hash/verification path, and verifier cards.
Boundary
Does not prove runtime promotion, public-safe runtime proof, or production deployment.
Open Proof Pack 001
Boundary: Website rendering is not proof; public navigation only. This section compresses the operating model for reviewers; it does not promote proof, runtime-active status, signal-observed status, public-safe runtime proof, production/SOCaaS/customer deployment, FortiSIEM integration, autonomous SOC, AI disposition, or analyst disposition authority.

Proof loop

Generate → Constrain → Validate → Review → Publish.

Each stage shows what happens, what control sits over it, and what gets blocked. The verifier owns pass and fail; human review owns merge authority.

CLAIM FIREWALL
Unsupported public security claims fail before they ship. Open the public wording gate that keeps website rendering below proof authority.
Inspect Claim Firewall ->

  1. Generate

    Happens
    AI-assisted drafting accelerates detection-as-code, SPL, and reviewer prose.
    Control
    Generation runs against repo source; no public copy ships from a draft.
    Blocked
    AI cannot decide disposition or promote claims.

  2. Constrain

    Happens
    Schema, contracts, and the blocked-claim scanner cap wording at source.
    Control
    Public surfaces are gated by a site-contract scan and runtime boundary rules.
    Blocked
    Unsafe wording (runtime, customer, fleet, production) is not allowed to render.

  3. Validate

    Happens
    Deterministic controlled-test packages decide pass or fail.
    Control
    The verifier owns the gate; case packets stay bounded to the validation result.
    Blocked
    Source presence is not signal observation; ceilings remain capped.

  4. Review

    Happens
    Human review must resolve threads before merge authority is granted.
    Control
    Green CI is not merge authority; review and scope sit above checks.
    Blocked
    AI-approved disposition and analyst-approved disposition are not claimed.

  5. Publish

    Happens
    Bounded reviewer artifacts surface: proof records, receipts, governance saves.
    Control
    Stronger claims require a separate promotion path with new evidence.
    Blocked
    Private-only evidence and host-local paths stay off public surfaces.

Cyber Kill Chain / MITRE ATT&CK

Attack context routes into proof boundaries.

Use attack-lifecycle mapping to orient detection intent, ATT&CK context, validation state, and claim ceilings. The map helps reviewers navigate the system; it does not prove live coverage or runtime signal.

  1. Cyber Kill Chain: Orient where a behavior sits in the attack lifecycle.
  2. MITRE ATT&CK: Map detection intent to ATT&CK techniques and tactics.
  3. Detection Source: Inspect the repo-backed detection package behind the mapping.
  4. Validation State: Read controlled-test counts and the claim ceiling.
  5. Proof Boundary: Validation records and proof boundaries authorize claims; live coverage and runtime signal stay blocked. (RUNTIME / SIGNAL · BLOCKED)

Mapped families
  • Endpoint / PowerShell: validated
  • Endpoint / Persistence: private · not public-safe
  • Cloud / IAM: fixture-only
  • Identity / Access Behavior: validated
  • Telemetry / Defense Evasion: validation planned
  • Network / Visibility Contract: contract only

Boundary. Mapping is reviewer navigation. Validation records and proof boundaries authorize claims.

Inspect coverage map

Governance Saves · generated from source records

Governance controls that fired before overclaims shipped

72 public-facing records from the GS-001 through GS-080 source range. Private-only records are excluded from this surface.

Open explorer
72 controls fired (public-facing)

Controls fired by category across 72 public-facing records.

Category | Count | What it covers
Claim boundary | 16 | Public copy was downgraded, narrowed, or held to match repo-visible evidence — never inflated to runtime, signal, or production wording.
Runtime boundary | 7 | Private runtime evidence, mirror traffic, and legacy automation were kept out of public runtime/signal claims.
Validator hardening | 8 | Review-thread fixes converted verifier edge cases into deterministic fail-closed paths before merge.
AI authority | 2 | AI output stayed support-only. Verifiers enforce human review and block AI-decided disposition.
Merge authority | 13 | Green CI never became merge authority. Review, scope, resolved threads, and human approval stayed above checks.
Evidence protection | 3 | Non-public evidence, host-local paths, and operator notes were kept off public surfaces and out of public proof.
Release gate | 2 | Release wording, checksums, and reviewer-package state were gated before any "approved release" claim could surface.
Branch hygiene | 16 | Branch divergence, dirty trees, wrong-branch preflights, and direct-main pushes were stopped before they touched source truth.
Workflow hardening | 5 | Required-check rulesets, audit findings, and CODEOWNERS reality were treated as enforcement evidence only when verified.
